Amazon GuardDuty has added three new threat detections. Two of the detections are new penetration testing detections and the third a policy violation detection. These three new detections represent the latest in a continuously growing library of fully managed threat detections available for customers who enable Amazon GuardDuty in their AWS accounts.

The two new detections related to penetration testing alert you to any machine running Parrot Linux or Pentoo Linux making an API call using your AWS credentials. These new detections expand upon the existing Kali Linux detection to now also cover Parrot Linux and Pentoo Linux. While there are legitimate uses for these tools, they can also be used by malicious actors who have obtained stolen account credentials. These new finding types are: PenTest:IAMUser/ParrotLinux and PenTest:IAMUser/PentooLinux.

Amazon GuardDuty has also added a new policy violation detection that alerts you to any request in which AWS account root credentials are used. This new policy violation detection informs you that root AWS account credentials are being used to make programmatic requests to AWS services or login to the AWS Management Console. Avoiding the use of root credentials to access AWS services is a highly recommended security best practice. This new finding type is: Policy:IAMUser/RootCredentialUsage.

Once enabled, Amazon GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts and access keys. GuardDuty identifies unusual or unauthorized activity, like cryptocurrency mining or infrastructure deployments in a region that has never been used. When a threat is detected, you are alerted with a GuardDuty security finding that provides detail of what was observed and the resources involved. Powered by threat intelligence and machine learning, GuardDuty is continuously evolving to help you protect your AWS environment.